[Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

[Jenny Galipeau]

Rob Crittenden wrote:
> Jenny Galipeau wrote:
>> John Dennis wrote:
>>> On 10/08/2009 05:22 PM, Rob Crittenden wrote:
>>>> John Dennis wrote:
>>>>> Thanks Rob. BTW, I was going to add a try/except block around that
>>>>> code in selfsign and return a non-zero status if it fails. Do we have
>>>>> predefined status codes I should be using?
>>>>>
>>>>
>>>> I'm assuming you mean around the certs.next_serial() call?
>>>
>>> yes
>>>
>>>> Not really sure. This is really a "server blew up" sort of error, I'm
>>>> not sure what the best thing to return to the client is in this 
>>>> case. I
>>>> think something that says "the server is hosed, you can't fix it from
>>>> there" sort of error would be nice. AFAIK we don't currently define 
>>>> such
>>>> a beastie.
>>>
>>> Well, looking at errors.py it looks like it should be an 
>>> ExecutionError in the 4000-4999 range. How about adding 
>>> UnableToCompleteCertificateOperation as a generic error for any 
>>> certificate operation we can't run to completion,
>> It would also be nice to reference the log, as in "Please see 
>> mylog.log for details."
>
> Well, this is a pretty common, generic problem. We don't want to give 
> too many specifics to a client. The assumption is that they'll go bug 
> their administrator.
Ah yes ... forgot it was the client!
>
> We could add the "See your system administrator" but that is truly 
> annoying when you're the administrator trying to debug the problem. 
> I myself have shouted any number of time "But I *am* the %#$@!@ system 
> administrator" when presented with similar messages on other systems.
:-) hehe ... I guess it is most likely that an admin will be running the 
ipa join command - true?
>
> What we'll have to do is document somewhere that tracebacks can be 
> found in the Apache error log.
>
> rob


-- 
Jenny Galipeau <jgalipea at redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering